Prospective Safety Analysis and the Complex Aviation System


Brian E. Smith 

“If there is one attitude more dangerous than to assume that a future war will be just 
like the last one, it is to imagine that it will be so utterly different we can afford to 
ignore all the lessons of the last one.” 

John C. Slessor (1897-1979), from Air Power and Armies, 1936.


ABSTRACT 

Fatal accident rates in commercial passenger aviation are at historic lows yet have plateaued 
and are not showing evidence of further safety advances. Modern aircraft accidents reflect
both historic causal factors and new unexpected “Black Swan” events. The ever-increasing 
complexity of the aviation system, along with its associated technology and organizational 
relationships, provides fertile ground for fresh problems. It is important to take a proactive 
approach to aviation safety by working to identify novel causation mechanisms for future 
aviation accidents before they happen. Progress has been made in using historic data to
identify the telltale signals preceding aviation accidents and incidents, using the large 
repositories of discrete and continuous data on aircraft and air traffic control performance 
and information reported by front-line personnel. Nevertheless, the aviation community is 
increasingly embracing predictive approaches to aviation safety. The “prospective workshop” 
early assessment tool described in this paper represents an approach toward this prospective 
mindset— one that attempts to identify the future vectors of aviation and asks the question: 
“What haven’t we considered in our current safety assessments?” New causation 
mechanisms threatening aviation safety will arise in the future because new (or revised) 
systems and procedures will have to be used under future contextual conditions that have not 
been properly anticipated. Many simulation models exist for demonstrating the safety cases 
of new operational concepts and technologies. However, the results from such models can
only be as valid as the accuracy and completeness of assumptions made about the future 
context in which the new operational concepts and/or technologies will be immersed. Of 
course that future has not happened yet. What is needed is a reasonably high-confidence 
description of the future operational context, capturing critical contextual characteristics that 
modulate both the likelihood of occurrence of hazards, and the likelihood that those hazards 
will lead to negative safety events. Heuristics extracted from scenarios, questionnaires, and 
observed trends from scanning the aviation horizon may be helpful in capturing those future 
changes in a way conducive to safety assessment. What is also needed is a checklist of 
potential sources of emerging risk that arise from organizational features that are frequently 
overlooked. The ultimate goal is to develop a pragmatic, workable method for using 
descriptions of the future aviation context, to generate valid predictions of safety risks. 

1. Introduction


1.1 System Complexity 

Commercial aviation at the beginning of the 21st century is a highly complex system of systems. It
features airborne, ground, and space-based technology elements, complex supply chains, a 
comprehensive certification and operations regulatory environment, a diverse multitude of operators 
at many levels, and a complex web of operational procedures and training systems for those 
operators. Commercial aviation possesses the fundamental characteristics of diversity, 
connectedness, interdependence, adaptation, non-linearity, and emergent behavior that are found in 
complex systems (Page, 2007). Owing to its distributed architectures and redundancies, this complex 
system of systems can be extraordinarily resilient. Conversely, the interdependent relationships and 
characteristics of emergent behavior can result in the rapid propagation of undesired states through 
the system, with a risk of evolving into singular, spectacular, tragic events. Although the behavior of 
the commercial aviation system can be extremely sensitive to subtle and rare events, broadly 
speaking it demonstrates characteristic repeatable generic safety-risk behaviors (International Risk 
Governance Council, 2011). Predicting these characteristic system behaviors is a key goal for 
aviation safety, and underlies research based on both retrospective data analysis as well as formal 
modeling techniques. 

1.2 Aviation “Diagnostics” 

A great deal of work is currently taking place to improve our ability to sense and recognize signals 
of change that are weak (or buried in noise) but operationally significant. Much of this activity is 
centered on extraction of useful insights from repositories such as the Aviation Safety Information 
Sharing and Analysis System (ASIAS). The “Big Data” that is part of this collection has four 
important characteristics 1: 1) It comes in at high velocity; 2) It is generated in high volumes; 3) It
contains a wide variability of heterogeneous types (continuous and discrete signals, textual 
information often with non-standardized taxonomies and data descriptions); and 4) It has a wide 
variation in quality. Sensors generating the raw signals often fail at higher rates than the systems 
they monitor. Although the analysis of such large, heterogeneous repositories of operational data can 
find unknown statistical correlations in massive datasets, the “haystacks” are growing exponentially 
yet the “needles” found by the analyses may not all have the same value. Big Data by itself cannot 
differentiate between spurious and operationally significant correlations to fully assess social factors 
for accidents, and the context of human decisions in moments of crisis. For this reason, the human 
analyst will always be required. In addition, the results of analysis of huge datasets are subject to the 
vagaries of how the data is structured and analyzed (Brooks, 2013). Big Data is historical and is, 
necessarily, looking in the rear-view mirror. Other than the limited period of time for which
extrapolations and seasonal trends from those data are valid, Big Data cannot, without assistance 
from human analysts, generate reliable looks into the future (although some historical conclusions 
can be extended to short-term future time horizons over which seasonal trends can be extrapolated). 
Future safety risk in aviation will derive from familiar causal and contributing factors that generate 
the same bad outcomes, but in new ways, operating in future contexts that haven’t happened yet, and 
will diverge from past trends. 


1 Articulated by Dr. Ashok Srivastava, formerly of NASA Ames Research Center 

From a predictive viewpoint, there are weaknesses in risk analysis based solely on event occurrences
(Fletcher, 2012): 

• Unless information across and within each level is effectively integrated, the analysis may 
not encourage “systems thinking.” 

• It is reactive to existing threats buried in mounds of data and may not be predictive beyond a 
near-term timescale. 

• It does not have the ability to identify deep systemic problems such as organizational or 
external factors in the surrounding environment that are not part of any of the datasets used 
for the safety analysis. 

• It captures only unsatisfactory workplace conditions and events, not systemic functional
problems.

• It may not fully identify mitigations for emergent hazards arising within complex systems. 
The demonstrated precursors of unacceptable risks today could very well be among the 
precursors whose confluence will influence the safety risks of the future. 

• Often, event occurrence data do not record what happened “when things went well”— what 
enabled the involved parties to avoid the accident or incident. 


Stakeholder groups frequently predict changes affecting aviation as part of normal due diligence. 
These predicted changes could be contrasted with actual changes detected using monitoring 
methods. The quadrants in Figure 1 illustrate the notional categories of the resulting comparisons 
(Thiel, 1961). 

Figure 1. Notional categories of the resulting comparisons.


In some cases, predictions will be accurate (along the 45-degree line). Various sectors of those 
quadrants include over-estimation, under-estimation, and the shaded quadrants in which the vector 
of actual change is actually opposite the prediction, so-called “turning points.” These conditions can 
often lead to ruptures — sudden discontinuities in a stream of events that are continuous under normal
circumstances— and Black Swan 2 events (Taleb, 2010). The “rupture” problem is a characteristic of 
Catastrophe Theory, where tiny differences can result in large downstream changes due to non-linear 
system dynamics. 
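
An added example, not part of the original memorandum: a Python sketch of the comparison Figure 1 describes, sorting predicted-versus-actual change pairs into accurate, over-estimated, under-estimated and turning-point sectors. The indicator names, the numbers and the 10% accuracy band are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample: (indicator, predicted change %, actual change %).
# Names and numbers are invented for illustration, not taken from any dataset.
SAMPLE = [
    ("traffic volume", 4.0, 3.8),
    ("runway incursion reports", -5.0, 2.0),
    ("new-hire pilot intake", 10.0, 4.0),
    ("unmanned aircraft operations", 5.0, 20.0),
    ("average fleet age", 0.0, 3.0),
    ("maintenance outsourcing share", 2.0, -6.0),
]


def classify(predicted, actual, tolerance=0.10):
    """Return the sector for one (predicted change, actual change) pair.

    tolerance is an assumed relative band around the 45-degree line inside
    which a prediction still counts as accurate.
    """
    if predicted == 0 and actual == 0:
        return "accurate"
    # Opposite signs: the actual change ran against the predicted direction.
    if predicted * actual < 0:
        return "turning point"
    scale = max(abs(predicted), abs(actual))
    if abs(predicted - actual) <= tolerance * scale:
        return "accurate"
    # Same direction (or one side zero): compare magnitudes.
    if abs(predicted) > abs(actual):
        return "over-estimation"
    return "under-estimation"


def summarize(pairs, tolerance=0.10):
    """Count pairs per sector and list the indicators that hit a turning point."""
    counts = Counter()
    turning_points = []
    for name, predicted, actual in pairs:
        sector = classify(predicted, actual, tolerance)
        counts[sector] += 1
        if sector == "turning point":
            turning_points.append(name)
    return dict(counts), turning_points


if __name__ == "__main__":
    counts, turning = summarize(SAMPLE)
    for sector, n in sorted(counts.items()):
        print(f"{sector:17s} {n}")
    # Turning points are the cases where the forecast direction itself was wrong.
    print("review first:", ", ".join(turning))
```
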

Looking at only the population of observed past events, probability is defined as the number of 
successful trials divided by the total number of (successful and unsuccessful) trials. For some classes 
of problems, it may be possible to estimate from the observed distribution the probability of events more
extreme than any yet observed. But probability in the future sense of risk is a “degree of belief”
about the likelihood of future events. Risk estimation for the future chance of loss might come from 
highly sophisticated modeling and simulation derived from statistical analyses of past experiments 
or operational data. Various modeling approaches seek to reduce or at least bound the uncertainty. 

1.3 The Uncertain Future 

Unpredictable, disruptive changes will alter the nature and estimates of the magnitudes of residual 
risk. These unforeseen phenomena can and will happen. 

In other words, the ultimate goal is to make decisions today to avoid unacceptable risks likely to 
emerge tomorrow— to manage both existing risks that could evolve and become unacceptable as 
well as entirely new risks. The prospection workshop technique described in Section 3 of this 
memorandum may be very helpful in this regard. The International Risk Governance Council 3 has 
identified three categories of technology-related emerging risk (International Risk Governance 
Council, 2011) as shown in Table 1. 

There is an implicit assumption that in order to make decisions today to control the three categories 
of risks described above that are likely to emerge tomorrow, there is a need to identify these risks, 
analyze them, and assess their potential impact... as we do to make decisions today to control today’s 
risks. Although intuitively sound, this assumption relies on another assumption that is: It is possible 
to fully identify, characterize, analyze, and assess tomorrow’s risks.


2 Taleb defines a Black Swan as a random event satisfying the following three properties (Taleb, The Black Swan: Why Don’t We
Learn that We Don’t Learn?, 2004): large impact, incomputable probabilities, and surprise. First, its occurrence has a
disproportionately large impact - the impact being extremely large, no matter how low the associated probability. The expected impact
times its probability, if quantified, would be significant. Second, the events have a small but incomputable probability based on prior
information. Third, a vicious property is its surprise effect: at a given time of observation there is no convincing set of precursors
pointing to an increased likelihood of the event.

3 http://irgc.org/

Table 1. Technology-Related Emerging Risk

Category: Uncertain impacts: Uncertainty resulting from advancing science and technological innovation.
Dominant Feature: Lack of knowledge and experience about consequences that could result from deploying new technology.
Governance Issue: Given the uncertainties about potential consequences, what risk management measures are adequate and needed for technologies, processes or products with significant benefits but unknown risks?
Examples:
• Products and processes in nanotechnology or synthetic biology.
• Health impacts of EMF.
• Carbon capture and storage technologies.

Category: Systemic impacts: Technological systems with multiple interactions and systemic dependencies.
Dominant Feature: System complexity and interconnectedness: Loss of safety margins within evolving and interacting (complex) systems.
Governance Issue: On-going examination of the state of the system and planning for its future (Are safety margins adequate? Are the right choices being made for system components as the system evolves in time?).
Examples:
• Utility networks (gas and electricity).
• Ecosystems.
• Climate change.

Category: Unexpected impacts: Established technologies in evolving environments or contexts.
Dominant Feature: Surprises from knowable risk factors: Unforeseen or changed circumstances.
Governance Issue: Governance may seem to be well established but may in fact be inadequate for a variety of reasons. (Is there complacency, resulting in failure to observe and adapt to changing, potentially dangerous, conditions?)
Examples:
• Commercial aviation safety.
• Nuclear power.
• Ageing of infrastructures.

1.4 Challenges of Rare (Accident) Events

The common features of major aviation accidents fitting into the rare event category are all too 
familiar (Duffey, 2011). These characteristics are sometimes called the Seven Themes, covering the 
aspects of causation, rationalization, retribution, and prevention. A poignant example is the Air 
France 447 accident. 

The Seven Themes are described in the following paragraphs. 

First: Major losses, failures, and outcomes all share the very same and very human four phases or 
warning signs: 

• Unfolding of the precursors and initiating circumstances 

• Confluence of events and circumstances in unexpected ways 

• Escalation where the unrecognized unknowingly happens 

• Denial and blame shift before final acceptance 

Second: As always, these incidents, all involving humans, were not expected but clearly
understandable, sometimes due to management emphasis on production and profit rather than safety
and risk, from gaps in the operating and management requirements, and from lax inspection and
inadequate regulations.

Third: These events have all caused a spate of media coverage, retroactive soul-searching, “culture” 
studies and surveys, regulation review, revisions to laws, guidelines and procedures, new limits and 
reporting legislation, which all echo perfectly the present emphasis on limits to the “bonus culture” 
and “risk taking” that are or were endemic in certain financial circles. 

Fourth: The failures were so-called “rare events” and involved obvious dynamic human lapses
and errors, and as such do not follow the usual statistical rules and laws that govern large
quasi-static samples, or the multitudinous outcome distributions (like normal,
lognormal and Weibull) that dominate conventional statistical thinking, but clearly require
analysis and understanding of the role of human learning, experience and skill in making
mistakes and taking decisions.

Fifth: These events all involve humans operating inside and/or with a system, and contain real 
information about what we know about what we do not know, being the unexpected, the unknown, 
the rare and low occurrence rate events, with large consequences and highlighting our own 
inadequate predictive capability, so that to predict we must use Bayesian-type likelihood estimation. 

Sixth: There is the learning paradox, that if we do not learn we have more risk, but to learn we must
perversely have the very events we seek to avoid, which also have a large and finite risk of
re-occurrence; and we ultimately have more risk from events we have not had the chance to learn
about, being the unknown, rare or unexpected.

Seventh: These events were all preventable but only afterwards. 20/20 hindsight, soul-searching, 
and sometimes massive inquiries reveal what was so obvious time after time: the same human 
fallibilities, performance lapses, supervisory and inspections gaps, bad habits, inadequate rules and 
legislation, management failures, and risk taking behaviors all should have been— and were—
self-evident and yet were left uncorrected. People learn and retain lessons; organizations much less so.

We claim to learn from these themes each time, perhaps introducing corrective actions and lessons
learned, thus hopefully reducing the outcome rate or the chance of re-occurrence. 

In aviation, there is currently broad consensus on a set of undesirable events and conditions that are 
on the minds of the aviation safety community— the things that keep safety experts up at night. 
Exemplar issues include: 

• Aircraft controllability in adverse situations 

• Deviations from air traffic control clearances 

• In-flight fire, smoke, and fume events leading to ATB/diversions, customer evacuations 

• Loss of separation 

• Safety Net Penetration (terrain awareness warning systems/traffic collision avoidance 
systems/minimum safe altitude warning systems) 

• Loss of navigation capability 

• Passenger injury 

• High-speed rejected take-offs 

• Runway excursions 

• Runway incursions 

• Fuel starvation, leakage

• Stall warnings 

• Unusual attitudes 

• Aircraft mis-configured for take-off 

• Abnormal runway contact 

• Loss of or unreliable air data 

• Unstabilized approach 

• Cabin/in-flight safety/turbulence 

• Landing safety 

• Lithium batteries/HazMat/DG 

• Automation dependence/integration of modern cockpit and effect on piloting skills 

• Stall/upset recovery 

• Maintenance safety (safety programs: Aviation Safety Action Program reporting; ‘just 
culture;’ significant maintenance program cost overruns) 

• Weight and balance; cargo handling 

• Bird strikes 

• Loss of control 

• Experience level of pilots and mechanics 

• Timely weather intelligence 

• Procedural compliance for key operational items such as flap extension, weight and balance 
determination, and deicing 

• Safety support and integration with Fatigue Risk Management Program (Part 117)

• Training: programs— content, duration, pace 

• Rapid expansion/consolidation; effect on operations across the board 

• Fatigue and duty time (to include all employee groups)

• Contaminated runway operations 

Prediction of the precursors of these events and conditions from prospective analysis is the goal of
any team looking ahead at safety. Such teams desire to identify novel future ways to generate the 
same set of historic bad outcomes: collision with ground or another object and in-flight breakup 
(deaths due to in-flight turbulence and terrorism not included). 

1.5 Black (and White) Swans 

The reader is reminded that risks, manifesting themselves as accidents in the future, will almost 
certainly include “Black Swan” events— those that have a surprisingly major impact (to the 
observer) yet after the fact are rationalized by hindsight, as if they should have been expected. That 
is, relevant data were available but unaccounted for in Safety Risk Management (SRM) programs. 
But not all future aviation accidents will be Black Swans. Some of the most recent accidents are well 
known White Swans (e.g. runway excursions) and significant efforts are underway to implement the 
known and available solutions for these historic accident types. 

The Black Swan theory explains: 

• the disproportionate role of high-impact, hard-to-predict, and rare events that are beyond the 
realm of normal expectations in history, science, finance, and technology. 

• the difficulty of predicting the probability of consequential rare events using scientific 
methods (owing to the very nature of and non-Gaussian, log distribution of small 
probabilities and the variability of human performance in novel situations). 

• the psychological biases that make people individually and collectively blind to uncertainty 
and unaware of the massive role of rare events in historical affairs. 

A challenge for proactive safety assessment of future systems is overcoming the shortcomings of 
approaches based solely on retrospective analysis of the accident, incident, and operational data 
within the well-known Heinrich pyramid (SKYbrary, 2011). This pyramid theory postulates that the 
number of events and their characteristics that occur in a lower level of the pyramid are precursors 
for the events occurring in the level above. As both the reliability of components/systems and the
complexity of those systems increase, especially in newer fleets, the dynamic interactions and
interdependencies among the technical, human, and organizational factors will become the dominant 
sources of risk in the future aviation system. 

1.6 Challenges of Modeling 

There are at least three challenges faced by current safety models: 

• First, some traditional models do not capture the complexity of the commercial aviation system 
in sufficient detail to provide emergent predictions. Linear models, such as event sequence 
diagrams and fault/event trees, fit into this category. Those that do generate emergent 
behaviors require significant effort to fully model the path-dependent, behavioral transitions in 
multi-agent cooperative control systems (Valiusaityte, 2010). Models that can capture 
emergent behavior such as Air Man-machine Integrated Design and Analysis System (Air 
MIDAS) require modeling of the underlying structures such as memory and cognition that 
interact within a human operator during execution of a sequence of tasks and produce possible 
branch points (Gore, 2002). 

• Second, some models are unable to detect and simulate “cascading failures,” where a failure of 
one component in a system can cause failures of other components. The more tightly the 
components are coupled, the faster and further a shock or failure can propagate throughout the
system. It is usually not a single predictable failure that turns incidents into accidents; it is the
second or third one that comes out of the blue at the same time— as illustrated in the well-known
Reason “Swiss-cheese” model (Reason, 1997).

• Third, it is extremely difficult to appropriately characterize the world of tomorrow. No model 
can provide useful predictions with an inaccurate picture of the environment being modeled 4.
This future world is a critical “boundary condition” or set of assumptions. When model results
are presented there is a requirement to articulate the simplifying assumptions describing the
complex system that is the focus of the safety analysis. Even the prospection-based approach
proposed in this paper may not be any less subject to this problem. 

1.7 Contributing Factors to Emerging Risk 

Commercial aviation contains an extraordinarily large number of hazards and safety nets. It is 
therefore critical to focus scarce resources on critical hazard generation mechanisms that affect key 
safety nets in order to produce high-value solutions. Unforeseen hazards can emerge from indirect 
factors that have been articulated by the International Risk Governance Council (see Table 2).

If robust and repeatable means to detect early signals of risk leveraging these factors are not 
systematically employed, there is a large chance that the emerging risks will materialize with 
maximum impact, given that no one saw them coming in time to undertake prevention or 
mitigation efforts. 

It is particularly important to systematically address reasons for not detecting future risk, how to 
know what to look for, and then what to do with the resulting information. The following is a list of 
these phenomena (emerging risks: sources, drivers, and governance issues, 2010): 

• Detecting “hidden” concentrations or accumulations of hazard and risk exposures whose size, 
scale and impact could have a material adverse effect. 

• Complex and “opaque” products or services which are understood by only a few experts. 

• Looking for discontinuities or tipping points which indicate either unclear “rules of the 
game” or a likely change. 

• Lengthy dependent “chains” of any type since they are only as strong as the “weakest link.” 

• More scenario analysis and “stress testing” outside the range of “business as usual.” 

• Imagining unintended consequences of public policy and regulation, and looking for 
connections which could arise between “seemingly unrelated” trends. 

• Measuring trends in diverging views between groups on critical issues such as automation 
implementation, flight crew training and demographics, and the changing regulatory 
landscape, since such diverging views can be precursors to emerging risks or can complicate 
efforts at taking precautionary or mitigation measures. The FAA Safety Risk Management
Policy Directive 8040.4 Rev A describes how various lines of business in that agency are to
handle hazards once identified. If various FAA lines of business disagree on identified
hazards, that itself is a signal that those specific hazards must get escalated within the
8040.4A management framework.


4 Communication from Dr. Alfred Roelen, Dutch Aerospace Laboratory, NLR, November 2011. 

Table 2. Indirect Sources of Hazards

Indirect Source: Description of the Factor

Scientific unknowns: Whether tractable or intractable, these unknowns may or may not contribute to risks being unanticipated, unnoticed, and over- or under-estimated.

Loss of safety margins: The subtle loss of the slack or buffering capacity in tightly coupled systems operating at higher levels of stress.

Positive feedback: Amplification of a change or a perturbation that can be destabilizing and amplify consequences of emerging risk.

Varying susceptibilities: Risk susceptibilities differing from one population to another. E.g., risk to airlines operating in mountainous regions versus oceanic.

Conflicting interests: Occur when risk management efforts encounter opposition on the basis of contested science or interpretations of data/values.

Social dynamics: The broader context of group perception that can lead to narrow attribution of risks to solely technology or human performance failures.

Technological advances: Technology change not accompanied by adequate scientific investigations of system-wide consequences and adequacy of regulatory frameworks.

Temporal asynchronicity: Risk may be amplified if it fails to emerge within a period permitting early detection or beyond near-term time horizons of concern to economists and politicians.

Communication: Risks complicated or amplified by untimely, incomplete, misleading or absent communication.

Information asymmetry: Needed risk information held by some stakeholders and not available to others either intentionally or inadvertently creating mistrust and non-cooperation.

Perverse incentives: Risks appearing when a “checklist mentality” pervades an organization with people trying to meet pre-set indicators rather than embracing a safety culture.

Examples in aviation domain:

Malicious acts: Human threats are not new but in a global system with more interconnected infrastructure consequences may be more far-reaching than in the past.


At least four information-processing operations typically take place in real world settings when 
unexpected, emergent events occur: 1) Awareness; 2) Diagnosing; 3) Choosing a course of action; 
and 4) Responding. People and organizations often do not notice unexpected events, even if these 
events are relatively salient. This phenomenon is known as change blindness (McConkie, 1996). 
Many tragedies in aviation can be associated with failures to detect and respond to off-nominal
events— both those occurring in operational flight settings and those having organizational roots.
Jones argues that the majority of safety breakdowns have their origin in the first phase (awareness or 
noticing) rather than at later stages of information processing (Jones, 1996). 

Conceptual roadblocks at the organizational level can also result in failure to detect an evolving 
crisis or emerging risk (from Robert Bea, U.C. Berkeley Center for Catastrophic Risk Management). 
Slow phase transitions are often difficult to detect, as are the events and conditions that trigger 
sudden ruptures. Safety risk analysts can benefit from the concept of the “Dancing Landscape” 5. The
closer a person is to the action such as a pilot, air traffic controller, or mechanic, the more aware 
they are that the safety landscape is not static. Because of the dynamic character of “dancing 
landscapes,” what to monitor among all available aviation data for weak signals of impending events 
also becomes critical. As stated by Sidney Dekker: 

“All open systems [such as commercial aviation] are continually adrift inside their 
safety envelopes. Pressures of scarcity and competition, the intransparency and size 
of complex systems, the patterns of information that surround decision makers, and 
the incrementalist nature of their decisions over time, can make ... systems drift into
failure. Drift is generated by normal processes of reconciling differential pressures 
[and future changes] on an organization (efficiency, capacity utilization, safety) 
against a background of uncertain technology and imperfect knowledge. Drift is 
about incrementalism contributing to extraordinary events, about the transformation 
of pressures of scarcity and competition into organizational mandates, and about the 
normalization of signals of danger so that organizational goals and “normal”
assessments and decisions become aligned. In safe systems, the very processes that 
normally guarantee safety and generate organizational success can also be 
responsible for organizational demise. The same complex, intertwined socio-technical 
life that surrounds the operation of successful technology is to a large extent 
responsible for its potential [future] failure. 

Drift into failure is hard to recognize because it is about normal people doing normal 
work in (seemingly) normal organizations, not about obvious breakdowns or failures
or errors.” (Dekker, 2005) 


2. The Prospective Approach 

Prospective safety methodologies offer a fresh approach to risk management. The prospective 
approach looks beyond past observations for insight to the future; it actively seeks out and explores 
multiple, believable future paths (as opposed to singular “predictions”) that may be relevant to a 
target safety issue. Prospective approaches can have great value as early assessment tools that don’t 
require elaborate modeling structures. Merriam Webster lists the principal meaning of ‘prospection’
as “the act of anticipating (foresight);” one subsidiary meaning is “the act of exploring (as for gold),”


5 In the “dancing landscape” concept, Dr. Scott Page of the University of Michigan postulates that safety landscapes
have local peaks and valleys corresponding to specific parameters of interest. These landscapes are relatively easy to 
navigate if they are fixed and don't move with time. “Dancing landscapes” in the complex aviation system cause shifts 
of the peaks and valleys over time due to the novel structures and patterns arising from the complex set of 
interdependent, diverse, interacting, and interdependent agents and organizations present in aviation. It’s easy to lose 
one’s safety footing on a dancing landscape. 
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and we do indeed hope to create high value. The greatest challenge for the assessment of emerging 
risks is to identify credible failure scenarios that have a relatively high likelihood. Some uncertainty 
about the future cannot be eliminated, because multiple future paths have non-zero likelihood. 

2.1 Conceptual Framework 

Up to this point, it has been assumed that the reader is aware of the definitions of common safety 
terms. In some cases there are nuances to these definitions that are commonly used but not fully 
understood. In the following section two similar-sounding but slightly different concepts are defined 
and discussed: prediction and prospection. An understanding and appreciation for the key 
differences between these two concepts will be critical for development of an effective methodology 
for assessing future risks. Such a method or methods may have fundamentally different characters 
depending on whether they approach future risk from a predictive or prospective viewpoint. 

2.2 Definition of Prediction 

• Estimates of the nature of the future environment informed by expert subject-matter opinion 

• Results from simulation models based on known, deterministic relationships 

• Quantitative trend extrapolations 

2.3 Definition of Prospection 

Prospection is “the act of looking forward in time or considering the future” (Gilbert, 2006). It has 
also been used for several years in the field of Future Studies (Future Studies, 2013), and is defined 
to be “the activity of purposefully looking forward [i.e. into the future] in order to create forward 
views and/or images of the future” (Voros, 2009). Prospection identifies disruptive technologies, 
events, and conditions within aviation (some of them impossible to predict) and surprise influences 
from external domains not intuitively expected to be the sources of hazards and risks, and it suggests 
unexpected uses of technology not anticipated by the original designers. Unexpected uses of 
technology or disruptive events can be revealed by the construction of scenarios. Extrapolative 
prediction and prospective prediction are the two fundamental approaches to identifying hazards and 
risks in the future. 

In contrast to extrapolative prediction, prospective prediction assumes that the future cannot be 
derived solely through extrapolation but that sudden and unanticipated discontinuities in a stream 
of events may occur. Table 3 illustrates the fundamental conceptual differences between these 
two concepts. 

Table 3. Extrapolative Prediction and Prospective Prediction Differences 

Extrapolative Prediction | Prospective Prediction 
• Aims at predicting the future. | • Aims at helping “build” the future. 
• Frequently focuses on an individual variable. | • Global/systemic approach (considering all perspectives via multidisciplinary teams). 
• Essential to quantification. | • Combines qualitative and quantitative dimensions. 
• Utilizes the continuity principle: that future evolutions are incremental extensions of past developments. | • Takes into account ruptures, acknowledging the acceleration of social, technological, and economic changes. 

To be effective a prospective prediction approach must (Cagnin, 2007): 

• Look forward (e.g. through forecasting, trend analysis, gaming and scenarios, futurist 
writing, etc.) 

• Look across (e.g. through systemic thinking) 

• Look backwards (through historical analogy 6, previous future-oriented studies, trend 
analysis, etc.). History is important. 

For any predictive safety process, it is important to understand the implications of the underlying 
conceptual framework on the process itself and on the expected outcomes. 

Conceptual Framework 1. The simplest conceptual framework would consider a single 
predicted (most likely) future scenario as input. 

Conceptual Framework 2. A refinement of this conceptual framework would consider a 
set of possible scenarios (the most likely ones), each of them being studied and 
considered as certain when studied, the final result being a combination of the various 
independent analyses of the various scenarios. 

Conceptual Framework 3. A more sophisticated conceptual framework would consider 
that there is no way to define a scenario or a set of scenarios (fixed or considered 
certain when studied), but that uncertainty is part of the very nature of the input. 

Whether an anticipatory method is developed using conceptual frameworks 1 and 2 or 3 has an 
impact on the methodology itself, hence on the results. The difference between conceptual 
framework 1 and conceptual framework 2 lies more in the implementation of the method and on the 
results than on the nature of the method (Smith, 2012). 

The concepts of prospection and proactive strategy are intimately related, yet they remain distinct 
entities. Therefore it is necessary to distinguish between: 1) the anticipatory prospective phase, in 
other words, the study of possible and desirable changes; and 2) the proactive phase, in other words, 
the working out and assessing of possible strategic choices so as to be prepared for expected changes 
(pre-activity) and provoke desirable changes (pro-activity) (Godet M. w., 2010). 


6 Henry Kissinger once remarked, “History is not, of course, a cookbook... It teaches by analogy, not by maxims.” 

2.4 Scenarios as Aids to Prospection 

When the world is highly unpredictable and we are working from a limited range of expectations, 
belief constructs involving safety will frequently be proved wrong. Scenario planning offers a 
framework for developing more resilient policies and practices when faced with uncontrollable, 
irreducible uncertainty. A scenario in this context is an account of a plausible future. Scenario 
planning consists of using a few contrasting scenarios to explore the uncertainty surrounding the 
future consequences of a specific technology decision or safety issue. Ideally, scenarios should be 
constructed by a diverse group of people for a single, stated purpose. Scenario planning can 
incorporate a variety of quantitative and qualitative information in the decision-making process. 
Often, consideration of this diverse information in a systemic way leads to better decisions. 
Furthermore, the participation of a diverse group of people in a systemic process of collecting, 
discussing, and analyzing scenarios builds shared understanding (Peterson, 2003). 

Hidden risks that we can’t name a priori may be revealed by construction of scenarios. A scenario 
may be an especially important ingredient for the prospection process: 

• Postulating the intersection of unpredictable disruptive technologies, events, and 
conditions within aviation and the surprise influences from external domains. 

• Suggesting unexpected uses of technology— plus attendant novel hazards and risks— not 
anticipated by the original designers. 

Often the telltale signs of risk do not manifest themselves in actual exposure to, say, high-visibility 
fatal accident types — such as controlled flight into terrain, loss of control, and system component 
failures— but may be found in threats observed in high-risk incidents that didn’t result in fatalities. 
Decisions and actions by maintenance personnel, accuracy of weather predictions and how they get 
communicated, personnel training/demographics, and a host of other phenomena can trigger or 
amplify the threats that are present in the system. 

As the aviation community looks into the future, key questions must be addressed within the risk 
control process: 

• Does the risk exceed an acceptable level (e.g., regulatory standards, action levels)— the 
“As Low As Reasonably Practical” (ALARP) test? 

• What steps might be taken to reduce or eliminate the remaining risks? 

• What is the effectiveness of those risk countermeasures against the threats? 

• What is an appropriate balance among risks, benefits, and resources to manage risks? 

• Will new, unknown risks appear in the future as a result of present or planned 
management steps to control the known risks? 

• What is the net effect of risks, mitigations, and new hazards introduced by the 
mitigations: the so-called “residual risks?” 

Regardless of the method or technique used to manage future risk, two essential ingredients are 
necessary for prospective insight and practicality: 

• A sufficiently broad picture of the future (from plausible scenarios) including 
contributing factors to hazard and risk generation that users of the method might not 
naturally consider. 

• Guarantees that key front-line personnel such as pilots and air traffic controllers with 
knowledge of the dynamic hazard environment participate in the application of the risk 
assessment method. Safety analysis must not occur in a vacuum that excludes this 
operational expertise. 

Without both ingredients, no method used by an analysis team, regardless of how theoretically robust 
it may be, will yield practical results. 

As the prospective approach will reveal, risk events are about the uncertain, complex futures, which 
cannot be predicted precisely. If an event does occur, then maybe it is a problem to be solved and 
avoided in the future but it is no longer a potential risk event. So, prospective risk assessment is 
about being ready— about “future-proofing” aviation— not trying to precisely predict it. This is 
where the range of possible futures offered by the prospection process and scenario development 
comes in. 

Several major factors and useful measures influence the prediction of risk and stability in 
financial systems, based on what we observe for all other systems with human involvement. These 
factors must be considered in any predictive methodology. 

1. Duffey’s Universal Learning Curve (Duffey, 2011) provides a comparative indication of 
learning due to observed trends. 

2. The probability of failure/loss is a function of experience or risk exposure. 

3. One relevant measure of failure is the rate of fatal aircraft accidents; there may be others. 

4. A relevant measure of experience and risk exposure could be the accumulated flight 
hours for a crewmember or the number of flight operations. 

5. Stable systems are learning systems that reduce complexity. 

6. An absolute measure of risk and uncertainty is the Information Entropy 7, which reflects 
what we know about what we do not know. 

7. Unique conditions exist for systemic stability. 

8. Repeat events are likely— the so-called “cosmic cycles of accidents” in which the people 
who remember the lessons learned from major accidents move on and the organizations 
do not consciously retain those lessons learned. Re-awareness may be one of the biggest 
issues facing safety. Monitoring the trends in “hits” on “lessons learned” organizational 
websites may provide indicators of the efficacy of transmission of wisdom and insight to 
newer personnel. 

9. Existing systems are unstable unless learning is continually occurring. This has great 
significance for the western aviation system in which fatal accidents are in that category 
of statistically extremely rare events. 

10. New systems are unstable during initial periods when experience is negligible. 


7 Information Entropy is a concept from information theory. It tells how much information there is in an event. In 
general, the more uncertain or random the event is, the more information it will contain. Random, “Black Swan” events 
therefore can contain a great deal of insightful information about connections and failure mechanisms we didn't know 
about. Mathematician Claude Elwood Shannon created the concept of information entropy. 

Within the possible futures are: 

• major trends for which indicators can be found in today’s information 

• major uncertainties for which there is consensus among safety experts 

• possible changing conditions and ruptures affecting aviation that no one can predict 

Heuristics can be a significant aid to prospection and future system characterizations. People rely on 
a limited number of heuristic principles that reduce the complex task of assessing probabilities. In 
general, these heuristics are quite useful, but sometimes they can lead to severe and systematic 
errors. The subjective assessment of probability resembles the subjective assessment of physical 
quantities such as distance or size. These judgments are all based on heuristic rules. 

For example, the apparent distance of an object is determined in part by its clarity. The more sharply 
an object is seen [as a result of, say a lack of atmospheric haze], the closer it appears to be. However, 
reliance on this rule can lead to systematic errors in the estimation of distances (Kahneman, 1982). 
This was the experience of Apollo astronauts on the moon. The lack of an atmosphere made objects 
on the distant horizon appear much closer than they really were. 

In addition, the elicitation of unbiased judgments and the reconciliation of incoherent assessment 
[from the personal heuristics employed by multiple human raters] pose serious problems [for 
Bayesian methods] that presently have no satisfactory solution (Lindley, 1979) (Shafer, 1983). 

2.5 Heuristics as an Aid to Prospection 

Heuristics can be an important aid in a prospective approach to risk analysis of complex aviation 
futures because they offer ways to: 

• find resolution or discover trends. 

• deal with complexity without losing information. 

• summarize and/or organize experience. 

• achieve powerful insight— sometimes with dry humor! 

Exemplar heuristics that can apply to aviation safety include, but are not limited to: 

• “A single insight is worth a thousand analyses.” 

• “Contain excess energy as close to the source as possible.” 

• “The thought that disaster is impossible often leads to an unthinkable disaster” 
(Weinberg, 1985). 

• “When big systems fail, the failure is often big” (Gall, 2002). 

• “The better adapted you are, the less adaptable you tend to be” (Weinberg, 1985). 

• “A temporary patch will very likely be permanent” (Gall, 2002). 

The Areas of Change list (Future Aviation Safety Team, 2012) compiled by the ECAST Future 
Aviation Safety Team is an example of predictive heuristics useful for prospective safety 
assessment. Exemplar future-trend heuristics from this list include: 

• Increasing use of Controller Pilot Data Link Communication (CPDLC) for weather 
information and advisories/clearances. 

• Shift from clearance-based to trajectory-based air traffic control. 

• Increasing reliance on satellite-based systems for Communications, Navigation, and 
Surveillance (CNS) Air Traffic Management functions. 

• Increased traffic flows involving closely-spaced parallel, converging, and intersecting runway 
operations. 

• Increasing operations of military and civilian Unmanned Aerial Systems (UAS) in shared 
military, civilian, and special use airspace. 

• Increasingly integrated and interdependent aircraft systems. 

• Emergence of high-energy propulsion, power, and control systems. 

• Increasing functionality and use of personal electronic devices by passengers and flight crew. 

• Entry into service of commercial, space-tourism passenger vehicles. 

• Shortened and compressed type rating training for self-sponsored pilot candidates. 

3. A Prospection Workshop Technique 

The following practical approach enables teams to identify and form into a hierarchy the main 
prospective “stakes” of the future— the strategic visions and priorities for aerospace manufacturers, 
operators, and regulators in the evolving landscape of tactical safety. A typical “stake” may be a 
target level of safety (TLS); a given percentage reduction in fatal aviation accidents; a reduction in 
the frequency of close-calls; or a desired increase in system throughput or flight delay reduction. 

Such an analysis can be achieved by employing the 12-step workshop approach described 
below (Godet M., 2004). This is a suggested starting point to activate a futures mindset; it 
does not replace the detailed risk and controls assessments that may need to be carried out by a 
user organization. 

Step 1. The leader of the analysis team asks participants to identify: a) expected; b) desired; and c) 
feared changes based on a particular future aviation system or concept of operation as they 
understand it as well as their notions of the future environment in which that system will be 
immersed. The Future Aviation Safety Team (FAST) Areas of Change list described earlier 
and similar reference prospective documents may provide useful input information. 

Step 2. Identify the inertias: those forces which will tend to keep the system moving in its current 
direction whether safe or vulnerable. Examples of safety inertias include existing safety 
nets such as Enhanced Ground Proximity Warning System (EGPWS), and Minimum Safe 
Altitude Warning (MSAW). Other types of inertias include external forces such as pilot 
supply and the inevitable introduction of Unmanned Aerial Systems in the airspace 
system. A suggested method for collecting these changes and inertias from the workshop 
participants is the so-called “635” Method 8: 

The “635” Method for knowledge elicitation consists of breaking an 
analysis team into groups of 6 persons each. Within each group, each of the 
six individuals is then given a worksheet with 18 rows and 2 columns: One 
for the changes and one for the inertias. The moderator then gives each 
person five minutes to identify no more than three changes and three 
inertias. At the conclusion of the first five minutes, each person passes the 
worksheet to the person on his or her right, and the process of filling in the 
next three rows continues. This process is complete when all six 
participants have filled in all worksheets over the course of a 30-minute 
time period. The advantage of the 635 technique is that it provides a very 
structured process; each person has the same opportunity to generate ideas 
because their creativity takes place “in secret” without dominance from 
personalities; it generates many ideas (6 persons x 3 ideas each x 6 5-minute 
time periods = 108 potential ideas) in a short time span; it features 
spontaneity; and it is suitable for untrained participants. The potential 
disadvantage of each person seeing the previous person’s inputs on the 
worksheet, and hence adding bias, is probably more than offset by the 
themes and interactions the participants begin to see among theirs and 
previously generated ideas. 

8 635 Method: http://www.thinkthru.info/methods/635-method.aspx 

Step 3. Individual results are presented to the group in order to build a common list of changes and 
inertias through several rounds of open discussions. To be effective and to limit bias, the 
individual results should be written, compiled, and completed by each individual (devoid of 
interaction with others in the group) before beginning discussion as described in the 635 
method described above. 

Step 4. Aggregate the individual preferences among the group in order to identify the five to ten 
major changes and inertias that appear to be, according to blind voting consensus, the major 
issues for the future. 

Step 5. Place the consensus changes and inertias within matrices of importance (weak or strong 
along the ordinate) versus level of control of those inertias (weak or strong along the 
abscissa). (See Figure 2.) 

Step 6. For both critical changes and critical inertias (those that are high-priority because 
they are important and we have weak control over them), conduct a group 
brainstorming session asking two questions that will move critical changes and inertias 
to the desired outcome quadrant: 

• How can we reduce the importance (safety significance)? 

• How can we strengthen their control? 

The four quadrants in the matrix (Figure 2) break down as follows: 

A. Critical changes and inertias affecting future stakes: the important changes 
that we have not yet mastered (strong control). 

B. Important changes or inertias already mastered by aviation. 

C. Unimportant changes or inertias that are not yet mastered (so-called 
“Guiltless Weaknesses”). 

D. Unimportant changes or inertias that may have been mastered some time 
ago. These inertias often feature prominently in safety discussions because 
the community believes it has mastered them (known as “Useless 
Strengths”). 

The pending FAA Advisory Circular, AC 120-92A, that provides guidance for effective 
operation of a Safety Management System (SMS), states that the performance objective 
of SRM is to “develop processes to understand the critical characteristics of its systems and 
operational environment and apply this knowledge to identify hazards, analyze and assess 
risk and design risk controls.” Thus it is highly important to identify the critical inertias and 
changes embodied in the critical [safety] characteristics of the postulated aviation future 
(Quadrant A, Figure 2). 


                    Weak Control             Strong Control 
High Importance     A. Critical Changes      B 
Low Importance      C                        D. Desired Outcome 

Figure 2. Diagram the changes and inertias within matrices of 
importance versus level of control. 


Step 7. Identify the stakes and objectives for the future aviation system under study. A reminder: A 
typical “stake” may be a target level of safety (TLS) or a given percentage reduction in fatal 
aviation accidents or a desired increase in system throughput or flight delay reduction. The 
Tool for Risk Identification and Display (TRIAD) (Mauro, 2009) strongly suggests separate 
risk analysis for the major threat types or “stakes” of risk: fatal accident and injury, property 
damage, mission success (i.e., achieving desired fuel burn, delay reduction, reduced noise 
footprint, etc.), and the important but often overlooked factor known as social 
amplification 9: the roles of the media and crisis management decisions in shaping the 
reactions of the public and thus determining indirect consequences that can be of crucial 
importance (Burns, 1993). 

Step 8. Identify the necessary actions (Objectives) in order to address the stakes and reach current 
system objectives and list them in Table 4. 


9 When a risk undergoes social amplification either within a technical domain or in media or legislative spheres of 
influence, the demand for action against the perceived risk may actually result in costs for new mitigations that are out of 
proportion to the actual risk across fleets and the aviation system. The requirement for costly new-airplane fuel tank 
inerting in response to the one-off TWA 800 accident may be an example of this phenomenon. 

Table 4. Objectives (from Critical Changes and/or Inertias to Action) 

Critical Changes | Stakes for Aviation Safety | Objectives Required to Achieve Those Stakes | Ideas of Possible Measures to Implement Objectives 
[blank rows to be completed in the workshop] 

Critical Inertias | Stakes for Aviation Safety | Objectives Required to Achieve Those Stakes | Ideas of Possible Measures to Implement Objectives 
[blank rows to be completed in the workshop] 

Step 9. Using Table 4, conduct a brainstorm discussion of and record the answers to the 
following questions: 

• Who are the other actors affected by these changes? 

• What are the points of leverage (acting for or against action)? 

• How to improve the control over major changes? 

• How to reduce the importance of uncontrolled changes? 

• How to reduce system weaknesses and better exploit system strengths? 

Step 10. Based on the critical issues identified above, use Table 5 to list the probable solutions as 
well as possible ruptures. 

Table 5. Solutions and Possible Ruptures 

Critical Changes | Solutions | Possible Ruptures 
[blank rows to be completed in the workshop] 

Critical Inertias | Solutions | Possible Ruptures 
[blank rows to be completed in the workshop] 

Step 11. Using the information from Table 4 and Table 5 and knowledge of probable future 
environments, create two or three plausible exploratory scenarios involving the future 
system under study. 

Step 12. From these scenarios, extract the major hazards and prospective risks and possible needed 
revisions to or augmentations of control measures. The following interrogatives may be 
helpful in identifying phenomena in the scenarios that create risks and weaknesses in 
control measures: 

• Does this phenomenon increase the likelihood of well-understood current 
hazards that will exist in the future? If so, by what mechanism? 

• Does this phenomenon create new hazards synergistically via interactions 
with other phenomena or with elements of the future system of interest that 
would not have come into being without the presence of the phenomenon? If 
so, by what mechanism? 

• Does this phenomenon increase the subjective likelihood of future hazards to 
an unacceptable level? If so, by what mechanism? 

• Does this phenomenon create increased potential for human error, 
procedural non-compliance or equipment failure? If so, by what 
mechanism? 

• Does this phenomenon decrease the resilience of the projected safety 
system? If so, by what mechanism? 

• Does this phenomenon render the projected safety systems more brittle to 
off-nominal conditions? If so, by what mechanism? 

• Does this phenomenon decrease safety levels during non-normal or 
emergency operations within the projected future system of interest? If so, 
by what mechanism? 

• What current and projected safety assurance measures within the future 
system of interest may be lost or rendered ineffective as a result of this 
phenomenon? If so, by what mechanism? 

• Does this phenomenon require creation of new control measures for critical 
aspects of the future system? Definition: A control measure is an action or 
procedure that will reduce, prevent or eliminate a potential hazard. If so, by 
what mechanism? 

• Does this phenomenon adversely affect critical control points or critical 
limits? Definitions: A critical control point is a step at which a control 
measure is applied. A control limit is a maximum and/or minimum value for 
controlling a physical parameter. If so, by what mechanism? 

• Will this phenomenon create new conditions that are currently not part of the 
design assumptions for future systems and procedures? If so, by what 
mechanism? 

• Will this phenomenon result in decreased skill levels and judgment among 
operators of future systems? If so, by what mechanism? 
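
Steps 4 through 6 above can be tallied mechanically once the secret ballots are collected. The following Python code is an added example, not part of the original paper or of the cited workshop method: the 1-to-5 rating scale, the use of the median, the minimum-vote cut-off, and the ballot data are assumptions constructed for illustration.

```python
"""Added example: Steps 4-6 of the workshop (blind vote, matrix, Quadrant A)."""
from collections import Counter
from dataclasses import dataclass
from statistics import median

# Assumption: ratings use a 1-5 scale; strictly above the midpoint counts as
# "high importance" or "strong control". The paper only says weak/strong.
SCALE_MIDPOINT = 3

QUADRANT_LABELS = {
    "A": "critical (important, weak control)",
    "B": "important, already mastered",
    "C": "guiltless weakness (unimportant, weak control)",
    "D": "useless strength / desired outcome (unimportant, strong control)",
}


@dataclass(frozen=True)
class Ballot:
    """One participant's secret ballot."""
    major: tuple        # items this participant votes for as major issues
    importance: dict    # item -> rating 1..5
    control: dict       # item -> rating 1..5


def shortlist(ballots, max_items=10, min_votes=2):
    """Step 4: aggregate blind votes into the list of major changes/inertias."""
    votes = Counter()
    for ballot in ballots:
        votes.update(set(ballot.major))     # one vote per participant per item
    # Most votes first; ties broken by name so the result is reproducible.
    ranked = sorted(votes.items(), key=lambda kv: (-kv[1], kv[0]))
    return [item for item, n in ranked if n >= min_votes][:max_items]


def quadrant(importance, control):
    """Step 5: place one item in the importance-versus-control matrix."""
    high = importance > SCALE_MIDPOINT
    strong = control > SCALE_MIDPOINT
    if high:
        return "B" if strong else "A"
    return "D" if strong else "C"


def place(ballots, items):
    """Step 5 for the whole shortlist, using the group's median ratings."""
    placed = {}
    for item in items:
        imp = [b.importance[item] for b in ballots if item in b.importance]
        ctl = [b.control[item] for b in ballots if item in b.control]
        if not imp or not ctl:
            continue    # nobody rated it: leave it off the matrix, do not guess
        placed[item] = quadrant(median(imp), median(ctl))
    return placed


def critical(placed):
    """Step 6 input: the Quadrant A items taken to the brainstorming session."""
    return sorted(item for item, q in placed.items() if q == "A")


# Item names borrow topics mentioned in the paper; every number is constructed.
ITEMS = ("UAS in shared airspace", "CPDLC clearances", "EGPWS safety net",
         "Pilot supply", "Personal electronic devices")

# One row per participant: (indices voted major, importance, control).
_RAW = [
    ((0, 1, 2), (5, 4, 4, 3, 2), (2, 4, 5, 2, 4)),
    ((0, 2, 3), (5, 3, 5, 4, 2), (1, 3, 5, 2, 4)),
    ((0, 1, 3), (4, 4, 4, 4, 1), (2, 4, 4, 1, 5)),
    ((0, 3, 4), (5, 4, 4, 5, 3), (2, 5, 5, 2, 3)),
    ((1, 2, 3), (4, 2, 5, 4, 2), (3, 4, 4, 3, 4)),
    ((0, 2),    (5, 4, 4, 2, 2), (2, 4, 5, 2, 5)),
]


def constructed_ballots():
    """Build the six constructed ballots of one '635' group."""
    return [Ballot(tuple(ITEMS[i] for i in major),
                   dict(zip(ITEMS, imp)), dict(zip(ITEMS, ctl)))
            for major, imp, ctl in _RAW]


if __name__ == "__main__":
    ballots = constructed_ballots()
    placed = place(ballots, shortlist(ballots))
    for item, q in placed.items():
        print(f"{q}  {item}: {QUADRANT_LABELS[q]}")
    print("Step 6 brainstorm on:", critical(placed))
```

An item rated exactly at the midpoint falls on the low/weak side here; a workshop that prefers the opposite convention only needs to change the two comparisons in `quadrant`.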

The following practical guidance will result in maximum success for such a workshop 10: 

• Permit adequate time for presentation, discussion, and understanding of the particular concept 
of operation or set of scenarios that will be the focus of the future safety risk assessment. 
Many safety and operational considerations will come up during the presentation of the 
concept under study if sufficient time is set aside. Operational experts that are not in the 
specific field of the concept under analysis come up with highly relevant insights as they get 
exposed to a more detailed briefing on the concept under study. 

• Potential system-wide impacts that will emerge via consensus expert judgment should be 
recorded prior to beginning the change/hazard/risk assessment analysis exercise. 

• An adequate level of specificity is needed when describing the estimated prevalence and 
other criteria characterizing a critical change. Avoid information that is too vague and 
therefore not actionable. 

• Establish a hazard taxonomy and stick with it. 

• Brainstorming discussions need to be conducted in a structured manner to prevent each 
person from being overly influenced by their own mental model 11. Hazards and possible 
ruptures should be brainstormed in a group setting rather than individually. A richer set of 
material will emerge if the brainstorming is led by a trained facilitator. 


10 From the lessons learned by the Future Aviation Safety Team in 2011 while developing a predictive safety 
methodology for the Joint Implementation Measurement Data Analysis Team (JIMDAT) operating under the U.S. 
Commercial Aviation Safety Team (CAST). 

11 For guidance on effective structured brainstorming sessions see: H.H. de Jong, Guidelines for the identification of 
hazards: How to make unimaginable hazards imaginable, Contract Report NLR-CR-2004-094, National Aerospace 
Laboratory NLR, 2004. 

• Unambiguous guidance must be given on how to approach the hazard and rupture 
identification process in order to yield consistent results. 

• Broad themes will be relatively easy to identify. They will lend themselves to a systematic, 
matrix-based interaction analysis. These themes may be useful in conducting a Markov 
Network-style analysis of interaction paths leading from a fully-functioning system to 
successively greater levels of: 

- Degraded system performance arising from the emergence of the identified hazards to a 

- Fully failed system state. 

• What may be of most value to the aviation community is a list of un-ranked hazards (and 
potentially an organizational structure for them) that are generated and regularly updated by 
a dedicated, multi-disciplinary group of subject-matter experts. This list of possible future 
hazards may be a product that many organizations will incorporate into their existing, 
internal risk assessment process. Each stakeholder organization may have its own value 
system for prioritizing future hazards that are identified in the workshop process. 

• Tangible products from any team looking ahead at safety will be most useful if they have the 
following features: 

- A continuously updated system-of-systems definition of the future so organizations can 
identify key phenomena that may impact the safety viability of the products they intend 
to market in the future. This future definition becomes the starting point for internal, 
anticipatory risk-reduction efforts. 

- A continuously updated set of future hazards and potential interaction paths leading to 
novel, potentially high-risk scenarios. 

These outputs may have great value for the research community because they will identify 
key future conditions and hazards for which research solutions should be developed. 
Furthermore, this set of outputs might be a natural fit within the set of Aerospace Information 
Reports (AIRs) published periodically by the SAE S-18 Aircraft and System Development 
and Safety Assessment Committee. 

• The output of the workshop should include a means to identify and record the assumptions 
and risk factors in the future descriptions or scenarios. Risk factors may include an 
approach to identify and analyze non-related phenomena that may be important from a 
safety point of view. 

• A final workshop product should be a list of specific phenomena to monitor for the 
emergence of system-wide and tactical vulnerabilities. 

4. Conclusion 


In order to form a reliable “prospective” picture of the future risk landscape in aviation, it is not 
enough to enquire about objectively measurable, rationally comprehensible hazards and risks 
(International Risk Governance Council, 2011). One must understand the factors driving the future 
risk landscape: changes in needs, interests, visions, hopes, and fears of the major players. 

As with any safety assessment process, the users of prospective methods discussed herein must take 
into account how the results of the analyses and possible recommendations for corrective action will 
be used within the stakeholder organization. It may be necessary to pre-condition the recipients of 
the proposed prospective analysis approach to ensure that the results produce the needed response. 

The prospection-based approach introduced in this paper is concerned with: 

Question 1: What could happen? 

Question 2: What can I do? The moment an organization begins to address this question, 
the inquiry moves into the strategic realm. Once these first two strategic 
questions have been broached, the safety inquiry continues. 

Question 3: What will I do? 

Question 4: How will I do it? 

The connection between prospection and proactive strategy occurs between (Question 2) and 
(Question 3) (Godet M. w., 2010). 

For simple, linear systems, loss events can be precisely predicted if cause-and-effect relationships 
are known and all variables can be measured with sufficient accuracy. That is why fatigue life of 
certain aircraft components can be accurately predicted if sufficient testing and operational evidence 
is available. 

For complex systems, however, accurate predictions are challenging. No one can predict where and 
in what context the next aviation accident will occur. Yet it is possible to estimate the risk, or 
average frequency and impacts of aviation accidents over, say, the next year or two. Using the 
prospective approach outlined in this document, one may have increased confidence in looking 
down the road somewhat farther. 

The real difficulty of future risk assessment lies not in complexity per se, but in the accelerated rate of 
change of complex systems. The faster the risk landscape changes or shifts under our feet, the more 
risks can remain largely unidentified by current methods or become incalculable. It is no longer just 
individual parameters but entire systems that are changing with increasing speed. For this reason, the 
potential for unpleasant surprises becomes greater (International Risk Governance Council, 2011). A 
prospective approach—utilizing the simple workshop technique described herein—offers the 
“prospect” for minimizing surprises in futures that may evolve along different, plausible paths. 